Stop using SMB1

In September of 2016, Microsoft released MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle :).

If you don’t care about the why and just want to get to the how, I recommend you review:

The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!

As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC

Multichannel & SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure

You run old multi-function printers with old firmware in order to “scan to share”.

These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support – see here: https://aka.ms/stillneedssmb1. For the ones who aren’t, their competitors are. You have leverage here. You have the wallet.

We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So does OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.

A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows 10, Windows Server 2016, and Windows Server 2012 R2/Windows 8.1 via an update, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:

Set-SmbServerConfiguration -AuditSmb1Access $true

Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2012 R2, now is a good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients and see if SMB1 appears.
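The audit step above, written out as a script that enables auditing and then summarises which client addresses have actually been seen speaking SMB1. This is an added example, not code from the original post: the cmdlets Set-SmbServerConfiguration, Get-SmbServerConfiguration and Get-WinEvent are in-box, while the exact log name Microsoft-Windows-SMBServer/Audit, the audit event ID 3000 and the "Client Address:" message text are assumptions here that you should confirm against one of your own audited servers before trusting the summary.

```powershell
# Added example (not from the original post): turn on SMB1 access auditing on a
# Windows Server 2012 R2+ / Windows 8.1+ box and report which clients still use SMB1.
# Assumed: audit log name, event ID 3000 ("SMB1 access"), "Client Address:" message text.

# 1. Enable auditing (-Force suppresses the confirmation prompt).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Confirm the setting took effect before relying on the log.
if (-not (Get-SmbServerConfiguration).AuditSmb1Access) {
    throw "SMB1 auditing is not enabled on $env:COMPUTERNAME"
}

# 3. After a normal business cycle, read the audit log and count SMB1 connections
#    per client address. Look back one week by default.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000          # assumed: "SMB1 access" audit event
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match

if (-not $events) {
    "No SMB1 access audited on $env:COMPUTERNAME since $since."
    return
}

# Pull the client address out of the message with a regex rather than relying on
# the exact line layout of the event text.
$events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it once to enable auditing, then again a week or so later to get the per-client table; an empty result after a full business cycle (month-end included) is the signal that removing SMB1 from that server is safe.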

Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network

Update June 30, 2017 – You have probably seen me announce this on twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances: https://aka.ms/smb1rs3. The full removal has begun. Make sure you check https://aka.ms/stillneedssmb1 for products that may require updates or replacement to be used without the need for SMB1.

Update July 7, 2017: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling Oplocks is not recommended by Microsoft, but required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 allow a special oplock override workaround now for these scenarios – see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround – just like SMB1 oplock disable is only a workaround – and your vendor should update to not require it. Many have by now (I’ve spoken to some, at least) and their customers might still just be running an out of date version – call your suppliers.

SMB1 removal isn’t hard

Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.

A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.
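One way to do the per-machine removal on Windows 8.1 / Windows Server 2012 R2 and later, as an added example that is not from the original post. It picks the cmdlet by SKU: the Server Manager feature name FS-SMB1 appears in the comments on this page, while the DISM optional-feature name SMB1Protocol used for client SKUs is an assumption here. The -DryRun switch is also an invention of this example so that it can be pushed to a pilot group and checked before anything is changed.

```powershell
# Added example (not from the original post): remove the SMB1 feature on one machine.
# Assumed names: SMB1Protocol (DISM feature name on client SKUs), -DryRun (this script's own switch).
param(
    [switch]$DryRun   # report what would happen, change nothing
)

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$isServer    = $productType -ne 1

if ($isServer) {
    # Server SKUs: Server Manager feature, removed with Remove-WindowsFeature.
    $feature = Get-WindowsFeature -Name FS-SMB1
    if ($feature.Installed) {
        if ($DryRun) { "Would remove FS-SMB1 from $env:COMPUTERNAME" }
        else {
            $result = Remove-WindowsFeature -Name FS-SMB1
            "FS-SMB1 removed from $env:COMPUTERNAME; restart needed: $($result.RestartNeeded)"
        }
    } else { "FS-SMB1 already absent on $env:COMPUTERNAME" }
}
else {
    # Client SKUs: optional feature, removed with the DISM cmdlet.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        if ($DryRun) { "Would disable SMB1Protocol on $env:COMPUTERNAME" }
        else {
            $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
            "SMB1Protocol disabled on $env:COMPUTERNAME; restart needed: $($result.RestartNeeded)"
        }
    } else { "SMB1Protocol already disabled on $env:COMPUTERNAME" }
}

# The server-side protocol toggle is tracked separately from the feature (a comment on
# this page describes the mismatch), so clear it in the same pass.
if (-not $DryRun) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Final state for fleet reporting: should read False once the feature is gone.
(Get-SmbServerConfiguration).EnableSMB1Protocol
```

Run it with -DryRun against the pilot group first, then without; a reboot is needed to finish the removal, which is why the script reports RestartNeeded instead of rebooting on its own.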

Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.

However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:

1. Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services and set them to delayed start.

2. When the user opens Network, they will be prompted to enable network discovery. Do so.

3. Now all Windows devices within that subnet that have these settings in place will appear in Network for browsing. This uses the WS-DISCOVERY protocol. Check with your other vendors and manufacturers if their devices still do not appear in this browse list after Windows devices appear; it is likely they have this protocol disabled or only support SMB1.
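The three steps above as an unattended script, added here as an example and not part of the original post. The service names fdPHost and FDResPub are assumed to be the short names behind the display names "Function Discovery Provider Host" and "Function Discovery Resource Publication", and the "Network Discovery" firewall rule group is assumed to be what the Explorer prompt in step 2 turns on; check both with Get-Service and Get-NetFirewallRule before deploying.

```powershell
# Added example (not from the original post): enable WS-Discovery based browsing in
# Explorer's Network folder on a machine that no longer has SMB1.
# Assumed: service short names fdPHost / FDResPub; firewall group 'Network Discovery'.
$services = 'fdPHost', 'FDResPub'

foreach ($svc in $services) {
    # Step 1: Set-Service cannot express "Automatic (Delayed Start)", so use sc.exe.
    # The space after "start=" is required by sc.exe's argument parser.
    & sc.exe config $svc start= delayed-auto | Out-Null
    Start-Service -Name $svc
}

# Step 2, unattended: enable the Network Discovery firewall rules instead of
# waiting for the user to answer the Explorer prompt.
Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled True

# Step 3 is then done by the machines themselves over WS-Discovery; report the
# service state so the result can be verified across a fleet.
Get-Service -Name $services | Select-Object Name, Status, StartType
```

Note that this only restores browsing between Windows machines on the same subnet; a printer or NAS that still does not show up is the vendor question raised in step 3, not something this script can fix.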

Note: we highly recommend you map drives and printers for your users instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.

SMB1 isn’t good

Stop using SMB1. For your children. For your children’s children. Please. We’re begging you. And if that’s not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3

Since I don’t think many of us already use Server 2016 in production… is there an alternative for the “Set-SmbServerConfiguration -AuditSmb1Access $true” on Server 2008/2012 to check if we break something?

Unfortunately, not in box. You would need to analyze network traffic. Either promiscuously at switches/servers, or locally on servers, using a filtered capture that only looks for SMB1. NETSH can be used for this. If filtered at the capture (not after capture), the CAP files growing at all is an indication to examine.

Can you provide an example of using netsh trace specifically to capture SMB1 traffic only? I see there is a Microsoft-Windows-SmbClient provider in the FileSharing scenario, but I can’t figure out how to specifically capture SMB1 traffic. Thanks.

Let me see what I can find. I’m also seeing that NetSh/NetEventPacketCapture don’t want to go as granular as I was expecting. Will get back to you.

2 years ago

clint

Perhaps Message Analyzer would be better suited? I don’t really have any experience with it but maybe you could inquire internally with the team?

Ideally I’m looking for something that would capture only SMB1 traffic (so the capture doesn’t become huge) and then I could write some PowerShell code to parse the capture and get a unique list of IPs that are still using SMB1.

Hi. Sorry, I lost track of this. I actually went back to the NETSH tracing team about this and they simply deferred to using Message Analyzer with a capture filter, as this would require crazy blob filters. 🙂 So yes. Getting a capture of just SMB1 in Message Analyzer is easy, it’s just a capture filter of “SMB1” and a circular buffer of a size that you specify so as not to fill up the hard drive. That’s it. MA also has PowerShell if you want to automate all this on a bunch of machines.

I was hoping to let you avoid putting the tool all over the place. Sorry. :/

2 years ago

Stephen

So I’ve got a 2008 R2 file server. I’ve installed Message Analyzer. Can’t run it at all because I keep getting “Enable session “MMA-ETW-Livecapture-22efa55a-e005-4611-ab59-2f23e590eb42” failed.”

When you say “Getting a capture of just SMB1 in Message Analyzer is easy, it’s just a capture filter of “SMB1” and a circular buffer of a size that you specify so as not to fill up the hard drive.”, would you mind adding a bit more detail so that I can try to figure out how to capture SMBv1 traffic to see if anything is still using it? I’d love to disable SMBv1, but finding out if it’s still in use isn’t as simple as I’d hoped.

Stephen, this just sounds like a bug. I don’t have insights into why MA might fail to start. Have you contacted the MA team?

2 years ago

clint

Agree with Stephen. More detail would be great especially given the most recent Patch Tuesday fixing a bunch of SMB1 vulnerabilities. I never did figure out how to do this with PowerShell and Message Analyzer.

Wally, you can audit clients being denied access to your shares after disabling SMBv1 if you’re running Windows Server 2012 or 2012 R2.

“If an SMB client connection is denied because the server running SMB 1.0 has been disabled, event ID 1001 will be logged in the Microsoft-Windows-SmbServer/Operational event log. You can find the name and IP address of the denied client in the event log details.”

It will tell you that *someone* connected trying to use SMB1. But it doesn’t provide client name or IP. It’s just a hint we added, but I frankly consider it useless to look for without the name/IP auditing info, unless you are already sure you have zero SMB1 – in which case it is differently useless. 🙂

It will require you looking at the network, via captures on servers (See NETSH Scenario tracing) or with your networking team just analyzing at the router or switch points. Unfortunately we don’t have these auditing tools in older OSes – but I’m not opposed to backporting them if you contact me offline and plead your case and business justifications.

Well this is very much like Powershell v2, IPv4 and NetBIOS – as an IT admin I wish I could get rid of it but I can’t. Partially, because Microsoft’s very own software still uses it and no fix (except “wait till you migrate in ten years”) has been provided.
I’m working on old versions of Dynamics/Dynamics CRM/Biztalk etc. and unless I want to get fired I won’t even try to disable SMB1.

Other reasons include non-Windows systems like Mainframe (AS400, for example), old drivers, old Windows OSes, old business applications etc.

If you want to push your customers out of SMB1, why not help them do so with a dedicated diagnostic tool? And, for example, add it to the Windows Assessment Toolkit, as it is the most likely MS tool you’ll use if you prepare a migration?

I do understand the security issue though – no hard feelings. But business apps beat security pretty much every day.

I would be very surprised if any of those apps depend on (or are even aware of) the different versions of SMB. Now, if you are running them on old *servers* that are no longer supported, that’s a different story. 🙂 Can you point me to some docs that state those apps will not work with SMB2+? Or some lab evidence? We are eager to wipe out any real blockers on our end.

If you run SMB1, you and your data are trivially owned by even a rudimentary script kiddie attacker – it’s that simple, I’m afraid. You must decide if this is worth the risk. As mentioned above, we do provide some auditing tools. The WAT is an interesting idea, but fundamentally, you already have what you need. It might suck, but you have it. 🙂

There is an issue with OPLOCKS and ISAM databases accessed by multiple users over a network – With OPLOCKS enabled, it can result in database and index corruption. In the past (ie. before SMB2), the solution was to disable OPLOCKS. However, as of SMB2, OPLOCKS can no longer be disabled and therefore the solution is to (1) disable SMB2/3, (2) re-enable SMB1 and (3) disable OPLOCKS.

However, as mentioned here, disabling SMB2/3 has security issues.

I asked Microsoft about this and they suggested disabling Leasing. However, I later found another Microsoft article that stated that disabling Leasing does NOT disable OPLOCKS so Microsoft then said my only option was to disable SMB 2/3 and re-enable SMB1 with OPLOCKS disabled (but they did not mention these security issues!)

Is that true or is there another way to keep SMB2/3 enabled but prevent the problems associated with OPLOCKS on ISAM databases?

We are working with vendors that open their files in ways that cause these problems. If you share the vendor name with me – in private if you prefer – I can tell you if we’ve been chatting with them. Disabling leasing is always the wrong answer – the right answer is fixing the app or fixing a bug in SMB.

Unfortunately, we do not have a reproducible test case to share with you. Since we also offer a SQL alternative to ISAM, we always recommend that our clients use that instead which is not affected by these issues. Some of our smaller clients, who are more price-sensitive or lack the necessary IT skills/resources, prefer our ISAM embedded database to that of SQL. These clients are typically smaller with only a handful of concurrent users. However, a few of them can have more users (eg. 10) and, under heavy usage, can result in index file corruption and sometimes database corruption also. We have never seen these issues in our SQL installations so we have to assume it’s caused by the oplocks issue in addition to this being a well known issue in the ISAM database community. As it stands, the ISAM community’s solution for this is to re-enable SMB1 with oplocks disabled and no one mentions the security issues in their documentation!

So, ideally, it would be great if SMB 2/3 could be modified so that it could distinguish between regular files (eg. a Word doc) being accessed over the network as opposed to a database file that can be updated frequently in a very short period of time – In that case, it would automatically disable all local caching and oplocks features. Perhaps this could be accomplished by allowing specific folders to be identified to Windows Server to be excluded from these performance features or maybe a new value passed to the Windows function when opening the database file (eg. CreateFile) to instruct Windows Server from including it in the caching/oplock framework. Failing that, it would be great if we could disable oplocks and any other related features (Leasing?) while still being able to use SMB 2/3.

Too bad the ISAM community is wrong. They are corrupting data with this old-style implementation. 😐 They are not writing through data, they are caching everything, they are opening handles unsafely, they are not using byte-range locks – all of it is a massive data loss scenario, even on a lone local computer if it loses power. They are simply magnifying the problem by adding more users and more points of failure, and making the loss more likely to affect more people at once and be more noticeable. These are all bad practices that have been solved for decades by most other apps (as you mentioned, SQL not having any problems, for instance).

We’re noodling on a similar idea to allow you to say “no, I want these clients connecting to this server to do their crazy bad crap and everyone else gets safe proper SMB semantics.” We have another vendor doing similar dangerous things and if we can make them happy, it should work for all the others. Your data will still be unsafe, but it won’t be anything to do with SMB at that point. More info when I have some to share (it will rate its own blog post, TBH).

Sorry if I come across all edgy here, it’s just that this whole scenario really ticks me off. Rather than writing good code in an app, the whole OS has to change and everyone else’s apps have to become slow and unsafe. It’s really unfair to a bunch of innocent bystanders.

Yup, that’s why we always recommend SQL to all our clients, even the small ones. However, the client (sometimes) wants what they want regardless of what you tell them. It’s too competitive these days to force your opinion on the client so we must give them what they want.

Keep in mind that Windows has been around for a very long time and there are many legacy apps out there that have stopped being developed but companies still rely on them to run their businesses and therefore they need Windows to support them too. Yes, I know this is frustrating but it’s a fact of (business) life.

A solution that would allow a per file/folder/instance as opposed to a complete disabling of the SMB features (eg. oplocks, leasing, caching, etc) would be ideal as it would help with ISAM apps but not adversely affect the other ones.

Where should I look for updates on the development of this “noodling” you are contemplating?

One of our products is developed in a very old database software called FilePro. Filepro is an ISAM database with indexes and all that b-tree and c-tree searching stuff.

I am trying to find a way to get it to work with SMB3. Our usual practice on new deployments is to disable everything but smbv1 and disable opportunistic locking. But doing this makes queries and reporting run very slow.

However we recently upgraded to server 2016 and I noticed that you can turn off opportunistic locking and file leasing and caching via powershell. I have done this and powershell still shows that SMB client connections are still communicating with SMB3 dialect.

So far I have only done basic testing and haven’t simulated many users on the system to see if data corruption and other issues occur. However, with SMB3 enabled, database queries and reporting performance is extremely fast!

Is it really possible to disable op locks on server 2016 with smb3.1.1?

What are the PS commands or reg entries to do this. I would love to pass this info on to our software vendor, Applied Systems. Though I would hope they are already aware of this if it’s true.

We pay a couple thousand dollars a month in support, maintenance and licensing fees for software that requires SMB1 be enabled. They have a modern SQL backed system but we aren’t changing any time soon. SMB1 is particularly bad over a wan. Luckily we have a decent Citrix infrastructure and they support terminal services environments.

I would love to disable SMB1 in the worst way. The sad thing is the vendor supports hosting the DB files on server 2012R2 and supports windows 10/server 2016 clients! Ugh…

Ack! Yes, sorry for not responding – I tweeted it but didn’t come back here 🙁

Windows Insiders build 16215 now has an option called “LeasingMode”. This allows admins to stop leases & oplocks, like SMB1. This is a share-level feature (i.e. a flag you set on a share), so to test for now you’d need to use a Win10 client as a “server”. If you have access to the Windows Server 2016 TAP it’s there too, naturally. There is no need to run a modern Windows Client to make use of this.

Could you shed some light on how to fix the issue in the app? Is there a way to open a file without writes caching?

Or perhaps a way for the app to request that the redirector flushes the locally written data to the server? I suppose FlushFileBuffers() would do it, but since that also flushes to physical media it seems like an expensive price to pay.

I suppose the real question is, if y’all feel this strongly, why is SMB1 still enabled by default on Server 2016 and Windows 10 1607? I’d think that having the component there as an optional install is good, but having it on by default is bad. Why not have security first. Those who need it can enable it.

Because when your protocol runs on 2 billion computers and you decide after 25 years to turn it off, if only 1% of machines are affected, people get upset. Because people love their terrible networked printers and NAS appliances and legacy storage arrays, with their terrible firmware, from their terrible manufacturer, who does not give a crap about security or updates or modern protocols or anyone.

Don’t you think I’d just turn this off if I didn’t have a compelling reason? I’m not a complete ass-hat. Maybe a partial one… 🙂

You have reached the SMB1 complaints department. Our hours are from 9-5, eastern standard time. If you wish to leave a message about something Ned’s team doesn’t own, please hang up and call 1-800-DOT-NET

So we have a problem with Windows 10 and SMB. Someone seemingly by accident configured all the print servers behind a firewall with port 139 open but not 445. The interesting thing is that no one ever noticed, because Windows 7 clients can connect to the shares and printers with no issues. However, we are now testing Windows 10, and Windows 10 cannot connect to the shares at all, they just get a network path not found error.
So the obvious fix is a firewall change to open up 445, which we will do. As a temporary work around you can also force SMB1 on the Win10 clients and they can then connect, however obviously this is less than ideal.
So what is happening is that Win7 clients are dropping down to SMB over NetBIOS over TCP on 139 (presumably using SMB1), however the Win10 clients are unable to do that.
Is this by design? I cannot find anything that indicates that this is intentional behaviour. If SMB 1 was disabled by default on Win10 it would be understandable, but otherwise it looks like an SMB bug in Windows 10. Or was support for NetBIOS over TCP dropped in Win10?
Thanks

If the client implements SMB 3.1.1, the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, and the Connection is NetBIOS over TCP, the client MUST close the connection. The client MUST establish a new connection to the server, as specified in section 3.2.4.2.1, by providing the ServerName and TransportIdentifier indicating Direct TCP transport.

Totally not your problem, but I had to force Macs running Sierra to use SMB1 when talking to our NetApp running 7-mode 8.2.4. Otherwise it’s super-slow when enumerating folders you don’t have access to. 8.2.4 is the last 7-mode release, so it’ll never be fixed by NetApp, and good luck getting Apple to fix bugs. Fortunately we’re going to migrate the shares to a Windows VM soon, but it still sucks.

Here is the script I am using for our clients, it would be easy to modify for servers if you need to. It creates a file C:\SMB1Gone that it uses to know it has been run on that machine since Get-SmbServerConfiguration | Select EnableSMB1Protocol always shows true 😉

For later Win OSes (Windows 8.1 and later, Server 2012 R2 and later), a single action can be used removing SMBv1, uninstalling Windows Feature “SMB1.0/CIFS File Sharing Support” but the details to implement are slightly different on Server SKUs vs Non-Server SKUs.
Although Andrew’s methods summary in comments above helped me with older OS versions, the new OS versions don’t break down the way he described because the Server Manager cmdlet Remove-WindowsFeature does not apply to non-Server SKUs (no such cmdlet), and the DISM cmdlet Disable-WindowsOptionalFeature -Online cmdlet works on Server but seems redundant with the other recommended option cmdlet for the Server flavors.

Because if I gave out a widespread removal script, it would be like throwing a bomb over my shoulder. People would simply run it without thought because it came from MS. You must always approach protocol removal with caution when you are responsible for 2 billion computers. That’s why I provided all the necessary info on how in 2696547 and leave it to IT pros to decide how they want to do it with their umpteen hundred methodologies and 3rd parties. 12% of all SMB communication worldwide is still SMB1.

In the coming days I’ll be outlining what we’ll do to alter future OS releases. But touching all existing machines automatically when there is significant ‘legitimate’ (at least to 3rd parties) reasons for running SMB1 requires caution. Unless you want me shutting off heart monitors without anyone knowing about it! 🙁

Hello Ned! Would you be able to help get KB2696547 (the KB article that discusses disabling SMBv1 linked in your article) updated to include modern OS versions. Specifically:
1. The Applies To section includes Windows 10, but does not include Server 2016.
2. Neither the title nor the body of the article include any information on Windows 10, Server 2016
3. Neither the title nor the body of the article include any information on disabling SMBv1 on Server 2012r2 nor Windows 8.1.

I posted this as feedback on the KB article page, but I don’t know if those comments are read so I figured I would let you know also. This will help offer an official, single and complete article that discusses how to disable SMBv1 on all currently supported Windows versions.

I will echo what some others have stated and would love to see a GP for this too.

My psychic powers knew you wanted this and updated the article last week, even though I had missed your request due to our commenting system alerts being broken. 🙂 Hopefully this takes care of everything.

I have been reading the available information on disabling SMB1. It feels a bit like Microsoft support in writing KB2696547 got very caught up in detailing the different commands available in their different operating systems.

When you boil it down however. . . there are in fact only 3 registry changes required to disable SMB1 on all windows systems.

I am posting here requesting that this be confirmed by MS support if possible, because KB2696547 as it’s written doesn’t spell this fact out. Instead it makes the process for disabling SMB1 look much more confusing than it is.

If you’re using Powershell, the following 3 registry set commands will enact the required values to disable SMB1. Server reboots will still be required after these settings are enacted.

You are partially correct – in the end, disabling and enabling is controlled by registry values; however, the recommendation on later OSes is to remove the feature, not disable, so those registry examples are not optimal. The real recommendation is to use the *one* step of removing SMB1 as a feature, starting in Win8.1/2012 R2. That is better than disabling services.

More procedurally though: using registry edits is not our preference – using the actual SMB PowerShell is our preference. We document all of the methods based on OS, and some OSes simply didn’t allow a clean experience. So there are a bunch of examples here. The article is designed to be comprehensive, not minimal.

Thank you for the reply and your insight. I do appreciate how comprehensive the KB is, and that there’s a focus on using SMB powershell for corrective actions.

In my case, I began looking at the KB from the perspective of wanting to enact specific changes at an organizational level across the spectrum of listed windows operating systems. As I reviewed the KB, I believed I needed to work up a scripted solution that would accomplish sifting through my AD computer lists, recognize operating system versions and then enacting required commands for those systems. Working through my script build logic, I found that the commands for each OS translated into the same reg values on each OS I needed to change. . . having spent a bit of time before reaching this conclusion I likely posted here a bit more annoyed about it than I should have. Sorry about that.

However I still feel that it should be noted somewhere that these registry values can at least be used to Disable / Enable SMB settings across all supported MS operating systems. Registry values being a preferred methodology of change or not; if it’s made more clear that those values can affect disable / enable of SMB on all supported OS’s, Admins / support staff can build group policies, or make scripts which affect those values at more organizational levels, and not get mired in “different controls for different systems” thinking.

I appreciate that the recommendation with newer operating systems is to remove the old SMB feature entirely. And yet on a brand new install, it’s there by default. :/ Of course with sysprep and imaging it’s possible to ensure new servers / workstations don’t have the feature. . . but honestly, my first approach to turning off something like SMB1 on my existing windows servers, I’d disable the services for a week or more, and then remove the feature.

I want to clear up my own spreading of mis-information on this issue. The registry keys I listed are on the right track, but I was mis-understanding a bit. The goal is disabling SMB1, but allowing SMB2/3 to function.

-flag SMB1 for disabled on the Server service.
-flag SMB2 for enabled on the Server service.
-changes the dependencies for the workstation service to no longer require SMB1 services (mrxsmb10).
-disables the mrxsmb10 service from starting.
-sets the mrxsmb20 service to auto-start

Thank you for a great article, hopefully more IT managers will find it and implement your recommendations; if it isn’t already, this information should be added to Windows security “best practices” guides. We have been disabling SMBv1 on all of our Windows boxes but have run into an issue on Windows Server 2016. We were hopeful the issue would be resolved in the March 2017 Windows Updates given there were 2 patches addressing SMB specifically, but the issue still is present.

However, when we disabled SMBv1 on Server 2016 (Remove-WindowsFeature FS-SMB1), all SMB shares broke, no shares were accessible from any Windows clients, instead of connecting to the share, a credential pop-up box is presented and even valid credentials don’t work. The error logged is:

On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

So, support for network neighborhood browsing is going away with the new versions of SMB v2+? How do applications or users file explore the network for shares that they can’t remember the path or they don’t have a mapped drive to it going forward?

It went away 10 years ago. The computer browser never had support for SMB2 or later; most apps and interfaces changed to things like UPnP, MDNS, Bonjour, etc. All your computers also blocked this by default at the firewall. If your users browse this way, you will have to turn SMB1 back on and let the browser come back, and accept all the security risks of anonymous device browsing and connections. As with everything I mentioned, you have the option to run legacy forever.

Note: we have broken this browsing multiple times through bugs in W10, and hardly anyone complained. This particular aspect of network browsing is used by almost no software in years, because it doesn’t scale and users in all but the tiniest environments cannot browse due to network router and switch rules. Plus IT pros preferred to map them drives unless the users themselves were IT pros.

For most home users the HomeGroup may suffice, but just about every small(er) business that I have seen regularly uses the network neighborhood for browsing. Without AD and SMB1 there will be no graphical way to browse computers, right? Or did I miss some option?

In a smaller business seems like it would be much better just to automatically map the users some drives instead of making them learn browsing (which won’t work if they add networks, change workgroups, etc.). Computers will still appear in NN via UPnP, MDNS, Bonjour, and other tech, just not computer browsing via NetBIOS. If they want to keep it, SMB1/browser can be turned on/left on. When we start to disable SMB1 in coming Windows release, this will not affect small business or home users though, as those Home and Pro SKUs will not have SMB1 removed by default.

While I get the logic of keeping SMB1 installed for Home and Pro SKUs, I certainly don’t agree with it and plead to have it removed by default for fresh installs of all modern Windows SKUs. Having to support a diverse population of enterprise, small business, and home office/personal systems, I cannot stress how much I’d prefer to get a call from a home user having just freshly installed the latest OS or having received a new computer from a retailer and not being able to connect to an antiquated MFP or NAS device or browse via NetBIOS. Explaining the pros/cons of adding the legacy protocol and how to mitigate the risks before doing so is much better than getting the call about a malware infection via an SMB1 attack. Please make this change for all SKUs!

It’s not only GUI browsing file shares via Explorer, but also business software that no longer “sees” its network targets – and fixing the first issue, fixed the second (involved adding back SMB1 to Win10, so XP could see and reach it via LAN).

Not so keen on mapped drive letters, as opens that up to simpler D:\Dir\etc. syntax, plus these drive letter mappings were brittle back in the Win9x days when we last used them. In those days, failure to reach a share via a mapped letter (e.g. when target PC was switched off) would prompt the user to delete the mapping, which meant someone would have to go and set it up again… is it still that brittle?

I think for small businesses and home networks, it’s best to be upfront about the link between SMB1 and browsing file shares via the shell’s Network folder. I’m surprised that functionality hasn’t been rebuilt on later versions of SMB – kludging fake drive letters and scratching around command prompts seems regressive to me.

I’m here from this thread (running from April to right now) where folks are struggling with broken networking from 2016 and now Build 1703…

David, you just found a nice and extremely dumb bug. 🙂 SMB1 is gone, the problem is that we also offer a separate enable/disable toggle from a previous OS version. To get this aligned: when you uninstall SMB1, also set that to false in the same batch processing. I will file a bug to fix this here in a later release. If you would like to get this fixed downlevel, please email me at nedpyle@microsoft.com and we can chat about the process.

I’d say to check that the values being set in kb2696547 are set. If not, it’s still running. The only trouble is when you uninstall, the values might be dangled; in which case, simply check to see that the feature is in fact removed by asking powershell/dism.

Also, if you remove SMB1, the mrxsmb10.sys and srv.sys will cease to exist on the system and not be in the list of services to start anymore, on a Win8.1/2012R2+ system. But in that case I’d just be querying for the installed feature, tbh.
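The checks described in the two replies above, gathered into one script as an added example (this is not code from the blog post or its author): the installed feature (the authoritative answer), the kb2696547 `SMB1` value under `LanmanServer\Parameters`, the `mrxsmb10` client driver, the two driver binaries, and the live server toggle. The feature names `FS-SMB1` (server SKUs) and `SMB1Protocol` (client SKUs) and the driver paths are assumptions based on Windows 8.1/Server 2012 R2 and later; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the blog post): report SMB1 state from several angles, so that a
# dangling kb2696547 registry value is not mistaken for a live protocol (or vice versa).
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated Windows PowerShell prompt.

function Get-Smb1Report {
    $report = [ordered]@{}

    # 1. The installed feature is the authoritative answer. Server SKUs expose it as the
    #    FS-SMB1 role feature; client SKUs as the SMB1Protocol optional feature.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $report['FeatureInstalled'] = (Get-WindowsFeature -Name FS-SMB1).Installed
    } else {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        $report['FeatureInstalled'] = ($state -eq 'Enabled')
    }

    # 2. The kb2696547 server-side value: SMB1 = 0 turns the SMB1 server off while the binaries
    #    are still present. An absent value means "default", which is enabled on these releases.
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Value = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report['RegistrySMB1Value'] = if ($null -eq $smb1Value) { 'absent (default: enabled)' } else { $smb1Value }

    # 3. The client-side SMB1 redirector driver. After feature removal it is gone from the
    #    driver list entirely; while present, StartMode tells you whether it still loads.
    $mrx = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $report['mrxsmb10Driver'] = if ($mrx) { "present, StartMode=$($mrx.StartMode), State=$($mrx.State)" } else { 'not present' }

    # 4. The driver binaries themselves; removal deletes them on 8.1 / 2012 R2 and later.
    foreach ($drv in 'mrxsmb10.sys', 'srv.sys') {
        $report[$drv] = Test-Path (Join-Path $env:SystemRoot "System32\drivers\$drv")
    }

    # 5. The live server configuration toggle, where the SMB cmdlets exist (8.1 / 2012 R2+).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $report['EnableSMB1Protocol'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [PSCustomObject]$report
}

Get-Smb1Report | Format-List
```

If `FeatureInstalled` is `False` but `RegistrySMB1Value` or `EnableSMB1Protocol` still report enabled, that is the dangling-value case the reply describes: the feature query wins, and the leftover value is only cosmetic.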

2 years ago

Sadheesh

Hi, we are planning to remove SMBv1 via GPO as part of our ransomware response, but is there any way to enable some registry value and track SMBv1 traffic in the security log before going ahead with the action? I am more worried about whether something is still using it.

On Windows Server 2016/Windows 10 you can enable SMB1 auditing. We will also be releasing that as a backported patch to Windows 8.1/Windows Server 2012 R2, probably in the near future. After that, you can use network analysis to watch for SMB1 usage. Or just turn it off then see who complains. They will find you much faster than any logging!
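The auditing the reply above refers to, as an added example (not code from the post or its author): on Windows 10 / Windows Server 2016, `Set-SmbServerConfiguration -AuditSmb1Access $true` makes the SMB server log every SMB1 session as event ID 3000 in the `Microsoft-Windows-SMBServer/Audit` log. The function below summarises those events by client address; the regular expression over the event message text is an assumption about the message layout, so adjust it if your events read differently.

```powershell
# Added example (not from the blog post): enable SMB1 access auditing on Windows 10 / Server 2016
# and summarise which clients still connect with SMB1 before you remove it. Run elevated.

# Each SMB1 session is then logged to Microsoft-Windows-SMBServer/Audit as event ID 3000.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Clients {
    param([int]$Days = 7)   # how far back to look

    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            # Assumed message layout: the event text carries a "Client Address: <ip>" line.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

# Leave auditing on for a representative period (a full business cycle, month end included),
# then list the talkers. An empty result after that period is your evidence for removal.
Get-Smb1Clients -Days 7 | Format-Table -AutoSize
```

The address list is the starting point for the "ask the vendor" step: each entry is a device or an application host that still negotiates SMB1, which you can trace to a product before you turn the protocol off.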

You are perhaps aware that File Explorer (nee Windows Explorer) has a Network root (formerly known as My Network Place or Network Neighborhood). This area lists computers on the network. My colleagues have warned me that no network computers would appear in this area if I remove the SMB 1.0/CIFS File Sharing Support feature from that copy Windows. (See your one-before-last screenshot.)

Currently, I’m testing this on a copy of Windows 10 1607. I see phones and routers listed but no computers.

Yes, as mentioned in the blog post above. Devices that do UPnP and the like will appear, while the old (frequently broken and unreliable and DDoS’able) SMB1-based computer browser goes away when SMB1 goes away. For users, I recommend mapping them drives through automation and not having them browse around exploring the network with an unsafe protocol. For admins, they should know ways to find servers like AD and their brain :).

It’s a fair point. Unfortunately, everyone using this vile ancient turd knows it as “Network Neighborhood”, and simply calling “network” is an exercise in mass confusion. I tried to split the difference just now by calling it both. This will of course fail 🙂

When I switched to Storage Server 2012 / 2012R2 running SMB 3.0 (2.2) I had problems with my main application, which is a Radio Broadcast Automation application. We experienced a lot of time-outs and hourglasses in the application; I previously did not have this problem running W2008R2 Storage Server and W7 clients. By forcing the 2012R2 servers to use SMB 1.0 the problem disappeared.
When I wiresharked the 2012 comms with the W7 client I saw a lot of time was used in negotiating the SMB ‘dialect’ between server and client, resulting in renegotiations on the Kerberos level also. Also, this broadcast application is very sensitive to latency; switching back to SMB 1.0 did not show this negotiation. Now, years later, I need to reinvest in a new storage solution and I am not sure if the problem is really related to the SMB level.
Can it also be a problem of oplocks?
When I talk to the vendor of the software, which is DALET, a well used vendor in the video and audio play-out and MAM systems, they say they are using the standard MS libraries (C# and C++) to write their applications, so they do not intervene in the client to server comms.
I would very much like to change to Server 2016 and S2D for my next storage project.
Can anyone help out with the above problem?
Thanks

This is usually caused by the vendor using the ancient ISAM database format. Any chance you can find out from vendor? We have been talking to various ones about this, and most offer replacements that they themselves want customers to use.

That doesn’t make sense then if they are using SQL; ISAM is a non-relational file-based DB, SQL won’t be using SMB at all.

I’d say try again on modern Windows, see if you are still having issues. If so, ping me.

2 years ago

Stefaan Hessens

Thanks for the advice.
I will try it on a staging platform, but the software vendor does not support W10 as a client OS for the moment, so I cannot try it on a 24/7 production system.
I’ll let you know.

2 years ago

Stefaan Hessens

Sorry for the long time it took to reply. I cannot try with modern Windows as these are not available for the moment.
It seems the problem is caused by the oplocks mechanism.
As there is no way to disable it in SMB2.x and higher on Windows SMB, the only way around, my vendor says, is using SMB1.
It seems that oplocks CAN be disabled on the ONTAP version of SMB from NetApp running SMB2 and higher.

extract from the Dalet recommendation to change oplocks on a NetApp Filer

Dalet’s Recommendation concerning OpLocks
It has been a long standing recommendation by Dalet storage experts to disable OpLocks on the storage but not on clients.
Many storage-related performance problems are potentially misdiagnosed as long as oplocks are enabled on the CIFS storage volumes.
Dalet recommends disabling OpLocks on the storage but not on the clients.
SMB 2.1 Recommendations
Depending on the storage trouble, Dalet recommends two strategies:
The first one is to disable SMB 2.1, this can be done via ssh connection to the filer
Note: Disabling SMB 2.1 affects new connections only. Future connections will negotiate at the SMB 2.0 protocol level.
You should restart CIFS on the filer (or terminate CIFS Connections).
The second one is to disable OpLocks on the filer level, this can be done via ssh to the filer
and executing the following command: options cifs.oplocks.enable off
This is a permanent command.

Dalet usually recommend to start with the first one and if you still have issues continue with the second one,
If you want a fire and forget, you can perform both…

It seems we are stuck here. how come Netapp can disable Oplocks on SMB 2 and higher claiming they use the original Microsoft SMB stack and not a Samba Version, and that this is not possible on a Windows fileserver ?

See https://twitter.com/NerdPyle/status/876880390866190336 and my recent ISAM comment reply today. We have created a way to turn off leases and oplocks in latest Windows. For now, this is the only place, so your first point on not using W10 is understood but I can’t do anything about it. If you simply test this and it works, you can open a support case and request a DCR backport of the functionality back to older operating systems.

Disabling oplocks is effectively a hack and dangerous for most applications. That you have to do it means your application needs to modernize its approaches. Most vendors I speak to aren’t actually at fault – they themselves are using other licensed or free code that requires oplocks, and they often have more modern database versions that don’t require it anymore.

Netapp doesn’t use the Windows stack, they have their own stuff. deciding to handle oplocks is not a technical decision – it’s philosophical. Disabling them is bad 99.999% of the time.

I wonder what they will say when you tell them you are switching vendors. 🙂 You can contact http://www.visualitynq.com/, to find out which printer vendors they have provided SMB2 firmware to, for instance. Many OEMS will not care about your security – it appears Ricoh does not, in this instance – and now you need to vote with your wallet if you do value security. That’s the only thing a company understands.

Have you confirmed that you have the latest firmware and are you able to configure the Ricoh (via telnet or ssh) with the following settings:
smb client auth 1
smb client port 445
If so that may fix the issue.
This will also be needed when disabling NTLMv1.

I’d love to, I really would, but my file servers (2008 R2) are just demanding to use dialect 1.5! The client can connect to other 2008 R2 servers and show dialect 2.1, but no, my file servers refuse to use SMB 2 – they’re enabled – quite forcefully in fact using lanmanserver\parameters, but no, even then something is stopping them allowing the SMB2 protocol – OK OK, I found when they were created they had SMB2 disabled – but you’d think that forcing the issue by making the DWORD 1 would sort it – apparently not!

There should be an option to reset SMB config – or even some tools to get the info out – the 2012 R2 SMB powershell bits are awesome, but can it be back ported to 2008 – no – oh well, life with SMB 1 continues ……….. it’s NetBIOS all over again I tell you!

I’ve started the process of switching it off, but I now have BPA throwing several messages back at me about it not being enabled, server.sys should be running etc. What is the best way to deal with these? One thing I hate is Errors/Warnings hanging around when I know they can be ignored.

This is complicated. If using only Microsoft Windows and Windows Server, the answer is NO.

But many third parties and their software use legacy operating systems to run, often with legacy protocols like SMB1. These include NAS appliances, printers that “scan to share”, etc. I keep a running list of these on Twitter under hashtag #StillNeedsSMB1 and I will be creating a list to track them in a blog post or TechNet in the near future. If that vendor requires SMB1, you will need to contact them about updating their software.

Win7 x64
Ned, I’m confused… I still haven’t updated anything since MS quit releasing individual patches, so I’m trying to understand how to install security updates, but my head hurts and I’m giving up on that for now. For the time being, I’m blocking ports 445 in addition to a few others, and figured that I would disable SMB1, but I’m not seeing what I expected.

In Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, there is no entry for SMB1. within Parameters. I see mrxsmb, mrxsmb10, etc. outside of that, though.

In Windows Features: goes from Simple TCPIP services to Tablet PC Components, then Telnet Client, etc. There are no options to enable/disable SMB.

Is it possible that I’ve disabled it in the past and that’s why I’m not seeing anything?

It’s complicated. I will be explaining this more in a coming blog post. I have been working on SMB1 removal for 2 years and it’s been gone from Windows for a few months now – you just don’t know it yet. 🙂

Hmm… does this explain why “net view” has been failing to work on my home network with Windows 10 machines recently? I’ve been wondering if something has been done to limit browsing in one of the recent updates.

SMB1 removal isn’t hard
but why is it installed by default even in 2012R2??? since it’s 30 years old
MS should pay attention to such critical decisions
SMB1 caused a lot of damage since it was used by WannaCry

I plan to write up an explanatory post on this – will cover this as well as how to troubleshoot the third parties that will break when SMB1 is removed (which is a spoiler alert to why it was still installed)

Exactly. New versions of Windows should make such obsolete technologies strictly an opt-in process.
By turning it on, people should know what they’re doing.
Merely deprecating features they know suck is not good enough.

While I appreciate reading Ned’s blogs and learn something each time, it’s unfortunate we seem to learn about it so late.
We rely on MS as a collective to make the right decision for us IT Professionals as they understand these products inside/out.

SMB is strictly opt-in. There is no way to connect to a machine over SMB by default, at several layers. It’s also important to note that *because* of IT professionals, SMB1 is still on. Millions of you seem to love these third party devices running versions of Samba from 10 years ago… D-:

This is a very complex problem, and our solution to it will make far more people unhappy than wannacry did, trust me. Anyone here want a job owning SMB1? We’re always hiring 🙂

So, what would cause the SMB 1 feature checkbox to be grayed (greyed) out in Windows 2012 R2? I went to verify it was off, but I can’t seem to turn it off. I might try via PowerShell but now I have the question why it’s grayed out, could there be another feature reliant on it?

I have my file servers show up with that same exact issue.
Can’t uncheck a grayed out box.
So I ran the removal of the feature from PowerShell and voilà, after a reboot it was unchecked.
I imagine it’s some stupid reason for it being that way.. probably blame it on the users like Microsoft is apt to do.
Frankly the logic makes no fucking sense, you won’t leave .net crap in and make me freakin jump through hoops to install it and other features that I do need, but something that is a HUGE DAMN SECURITY HOLE is on by default!!
I really have to ask how much the NSA paid you guys to keep this on because this has their handwriting all over it.

You will see this if you go into Server Manager and click ADD instead of REMOVE for roles and features. Installed items will be grayed out, as they are already added. So yes, I am blaming it on the user in this case. ;). I’m joking of course, it’s a common mistake and I’ve done it myself a few times.

This was very foretelling when the WannaCry started heating up. All of our company’s newer clients and servers didn’t need SMB1. Just failed to realize that it’s enabled by default. But after some PowerShell chicanery all is well!

All the regular posts show methods for Server 2012 and a registry entry for Server 2008 (supposed to be what SBS2011 was based on); however, the Server 2012 PowerShell commands don’t work and the registry entry for Server 2008 doesn’t exist in the SBS2011 registry.

Harmonic Mediagrid still uses SMBv1 only, as we’ve just found out (and we’re on the latest and greatest unreleased beta code…). We have a 700+ device environment and recently went through and disabled SMBv1 on everything. No problems except with the Mediagrid. Turns out they are using some old libraries that can’t talk smbv2/v3 (can’t imagine how many other unpatched vulnerabilities there are…). Instead of rolling back changes we deployed a small DC with smbv1 enabled just for them.

Pretty sad that this is still a problem. Hopefully wannacry and other recent events will light a fire up everyone’s ass.

I turned it off on my small office network, and all the Shared Folders on PCs running XP, Win 10, Win 7 stopped working! The PCs would not even appear in Network Neighborhood. Is there something I am missing that can enable Shared Folders when turning off SMB1? Thx!

Network neighborhood cannot work as SMB1 contains the Computer Browser service; shares will absolutely still work and exist.

If you must leave SMB1 enabled in this environment for network neighborhood, I recommend configuring windows firewall on each computer to only allow from the IP addresses of the other computers inside that network. Ensure that port 445 is not allowed from the internet.

Alternatively, and better, leave SMB1 disabled and map drives to the other computers so that users aren’t browsing in network neighborhood. We stopped supporting that old way 15 years ago, it is a legacy of Windows 95.
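The firewall scoping recommended two replies up, for the case where a machine must keep SMB1 for Network Neighborhood, as an added example (not the post's or its author's code): the built-in inbound allow rules for TCP 445 are disabled, one allow rule scoped to the machine's own subnet replaces them, and the profiles' default inbound action is set to block so nothing else on 445 gets through. The rule display name is an assumption; `LocalSubnet` is a keyword the Windows firewall understands. Run elevated.

```powershell
# Added example (not from the blog post): limit inbound SMB (TCP 445) to the local subnet on a
# Windows 8 / Server 2012 or later machine that has to keep SMB1 for Network Neighborhood.
# Assumes the LAN is a single subnet and the machine is not reachable directly from the internet
# for any other reason. Run from an elevated PowerShell prompt.

$ruleName = 'SMB-In (local subnet only)'   # assumed display name

function Set-Smb445LocalSubnetOnly {
    # 1. Disable every existing inbound allow rule for TCP 445, whatever group it belongs to
    #    (the built-in "File and Printer Sharing (SMB-In)" rules included). The port filter is
    #    queried first and piped back to its owning rule.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName } |
        Disable-NetFirewallRule

    # 2. One allow rule, scoped to the local subnet. 'LocalSubnet' resolves to the interface's
    #    own subnet(s), so it keeps working when DHCP hands the machine a new address.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress LocalSubnet -Action Allow -Profile Any | Out-Null
    }

    # 3. Make "not explicitly allowed" mean "blocked" on every profile, so the scoped rule is the
    #    only path to 445. Hosts outside the subnet, the internet included, are dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

function Get-Smb445Rules {
    # Verification: every enabled inbound allow rule for 445 and the remote scope it accepts.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [PSCustomObject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

Set-Smb445LocalSubnetOnly
Get-Smb445Rules | Format-Table -AutoSize   # expect only the subnet-scoped rule
```

This narrows who can reach the SMB1 server, it does not fix SMB1 itself: the guest-auth and MitM weaknesses discussed elsewhere in this thread still apply to every host on that subnet, which is why the reply prefers mapped drives with SMB1 off.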

But now that I’ve disabled SMB1 using appwiz on Windows 10 as per the article, none of my Windows or Linux shares on the LAN are visible to me in the File Explorer. I can still access them if I type out their location, but they’re not visible. How do I fix that? If it’s not fixable then it’s not worth disabling SMB1 if I cannot see any of my shares! Help.

After parsing through the comments I got my answer. It’s not possible to do with SMB1 disabled. So how would a user set up a network share on Windows so that is appears in the Network places list using UPnP (which I also thought was not secure)?

Like what if I have 20 or so shares on a few NAS servers at home. I have to map those on every device that connects to my network and then I have to remember the name of the shares when guests come over? There has to be an easier way

See previous reply. Your NAS may offer additional client software to make browsing easier – for home devices they almost always do. But for your guests you’d just tell them, the same way you’d tell them the credentials they will need to connect.

Network neighborhood computer browsing is a technology from Windows 95 that requires SMB1. That browsing capability is removed with SMB1, as they are tied together. Computer browsing does not work across subnets and allows broadcast storms and DDoS. I recommend leaving SMB1 off and mapping drives so that you are not browsing to servers to list their shares.

Another case is Windows Server 2003 Terminal login. Once you remove SMB 1.0 support on a Windows Server 2016 domain controller, the Windows Server 2003 terminal login in this domain will fail. You have to reinstall SMB 1.0 on the DC, or retire WS 2003.

Yes, you should upgrade the WS2003 server; it can only use SMB1. There are many other attacks that will succeed on it that you have no patches for, and it is easily compromised regardless of SMB1. It has not been supported for two years.

Can you make a GPO to disable SMB v1 ? It would seem like the obvious best solution rather than touch each server and PC individually. Of course one needs to take into account the operating system version, maybe a separate GPO for each OS version.

How about how to disable it on WHS V1? Yes, I’m still running that since I have no better option with a required legacy program that won’t work with newer WHS versions.
Heck, using the info here and several other places I can’t even FIND SMBv1 on WHS V1, so I need some guidance on how to find and disable it. It was simple on my Win8 and Win10 machines.

I am a bit confused by your blog post. I have just installed Windows Server 2016 and I used the “Get-SmbServerConfiguration” PS command to check if SMB1 is active, and it gives me the following output “EnableSMB1Protocol : True”, which means that it is enabled by default as you state in your article (I know that you did not provide the above command, but I am assuming, maybe erroneously, that the output tells you how SMB is configured on your server). However, when I try to remove SMB1 from the server via the Server Manager method I see that SMB 1.0 is not installed, as you show in your picture. Also, when I try to use the PS command you gave I get the exact same output as you show in your pictures, which also means that SMB 1.0 was never installed. If I then run “Get-SmbServerConfiguration” again I get the same output as before.

So what gives? Is SMB 1.0 enabled by default on WS 2016? If it is then the commands that you give in your post do not work as they do not do anything at least in my case. If they do disable the SMB1.0 Feature how can I check it without having someone try to connect via smb1.0.

SMB1 is installed by default in all released products; the only way it can be missing out of the box is if you are using a custom image – which many companies do make. If you run “get-windowsfeature FS-SMB1” from an elevated PowerShell prompt, what does it show?
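The two switches that disagree in the exchange above (and in the earlier reply about the "extremely dumb bug") are the `FS-SMB1` feature, which carries the binaries, and the older `EnableSMB1Protocol` configuration flag, which survives feature removal and keeps reporting `True`. As an added example (not code from the post or its author), this Windows Server 2016 script shows both side by side, removes the feature, and sets the flag to false in the same batch, which is the alignment the earlier reply asks for. Run elevated; the feature removal completes on reboot.

```powershell
# Added example (not from the blog post): align the two SMB1 switches on Windows Server 2016 so
# that Get-SmbServerConfiguration stops reporting EnableSMB1Protocol : True after the FS-SMB1
# feature is gone. Run from an elevated PowerShell prompt; finish with a reboot.

function Get-Smb1State {
    # The two settings are independent and can disagree; show them together.
    [PSCustomObject]@{
        FeatureInstalled   = (Get-WindowsFeature -Name FS-SMB1).Installed
        EnableSMB1Protocol = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

function Remove-Smb1Aligned {
    # Step 1: remove the binaries (srv.sys / mrxsmb10.sys). This is what takes SMB1 off the wire.
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false | Out-Null
    }

    # Step 2: set the older-style toggle to false in the same batch. Without the feature the flag
    # is cosmetic, but leaving it True is exactly what produced the confusion above.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    Get-Smb1State
}

Write-Host 'Before:'
Get-Smb1State | Format-List

Write-Host 'After (reboot to complete feature removal):'
Remove-Smb1Aligned | Format-List
```

If `FeatureInstalled` is already `False` on a fresh install, as in the question above, the image the server was built from had SMB1 stripped; step 2 alone then brings the reported configuration in line with what is actually installed.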

I do have a question though, as I’m getting confusing answers about some *nix products using EAP-MSCHAPv2 authentication method being the reason we have to keep using SMB1. Is this true because it’s not possible to use EAP-MSCHAPv2 over SMB2.x or is it just that they’ve not implemented it to use SMB2.x in their product for whatever reason?

Yes I am asking the vendors, but I’d like to know this so I don’t get fobbed off with change your authentication method to remove SMB1 dependency answers.

I agree with not using SMB1, but AFAIK this is the only SMB version without client side caching, which can screw up migrations on shaky network connections.
Is there any way to disable client side caching in SMB3 to avoid delayed write errors? I have to do it on OS level as I cannot change the copy tool itself. As of now I have to force my client to use SMB1 in order to prevent this.

I am on windows 10( preview and release ) using an R7000 Netgear router, and with SMB1 turned off in Control Panel I can not map my ‘network’ hard drive.
Are there options, and is there another protocol that will allow the mapped drive that is connected to my Netgear router?

You will have to ask Netgear, sorry. We don’t know what each vendor and product options are. Clearly they are requiring SMB1, but perhaps they also support SMB2 or later, and simply don’t have it turned on by default.

It’s usually safe and recommended to remove on DCs unless you are running third parties that require it to domain join. See https://aka.ms/stillneedssmb1 for more info. Even if your vendors are not on the list, you should still ask them!

I know of one tool that was created to test your local network for the EternalBlue vulnerability, and was later improved to also list SMBv1 accessible hosts. It can be downloaded from http://omerez.com/eternalblues/.

When I tested this at my home network, it found that none of my Win10 pcs were vulnerable, and that only my wlan router was offering file sharing via smbv1. So I guess now I’ll have to figure out if it can be forced to use only smbv2/3. 🙂

Hey Ned, really great to see lots of posts from you. I am having a similar problem wherein I have SMB1 running on legacy 2000 and XP systems that host legacy applications. Can you let me know what the workaround on this is?

1. Is there any other third-party feature installation that can be done on this? (I know that we don’t have any patches from MS but still wanted to check.)
2. Is there any workaround if we disable SMB1 on servers, with any tweaks in the systems?

No workaround, those systems must be upgraded/replaced. I don’t know of any third parties in this space that retrofit Windows itself (nor that do so for Linux versions that are 17 years old either, tbh).

If you patch, you are closing those specific vulnerabilities in the server portion of SMB1 (I mean the server service, not the server OS – i.e. the part that creates shares). So you won’t get infected by wannacry, for instance. But we deprecated SMB1 a long time ago for other security reasons that cannot be fixed; they’re just inherent to the client protocol. So we still highly recommend removing SMB1 so that you aren’t as vulnerable to MitM attacks, for instance.

SMB1 itself is removed from most SKUs and editions in the next RS3 release. With some minor exceptions. This is in the RS3 flighting release notes and I have a KB coming shortly.

Disabling SMB1 breaks the Network Neighborhood.
In a network with only Windows 10 clients with SMB1 disabled, you will see the other clients as usual in Network Neighborhood but double clicking on any of them will give the beloved “Windows cannot access \\clientname” error with “The network path was not found” in the details.
Is there a way to re-enable browsing the Network Neighborhood without having to re-enable SMB1?

That is really great news. It means nothing more and nothing less than that you will break your entire home network (access to file shares) if you disable SMB1.
What do you advice to be used instead of file shares/shared network drives? FTP? Really?

To the guys who advised switching to SQL in place of ISAM – even if that were possible, which it is not:

The arguments against SMB1 apply to SQL, but in spades. It was developed in the days of mainframes, when physical computer security meant that there was no real need to protect against malicious database operators. It is totally unsuited to use on the Internet.

Strangely, in the early PC days we had databases which didn’t suffer from code injection, but on deciding to use databases for Web backends the clock was put back way into history, and SQL chosen. A really unwise choice, and one which is responsible for the majority of hacked and malware-ridden websites on the planet.

If any piece of software needs to be eradicated in the interests of security, it is (non-transactional) SQL. Yet, it ain’t happening. Why not, I ask?

This article is mistaken, the issue has nothing to do with any SMB version; it affects Negotiate, so even before SMB version is decided.

Internet-facing servers should be in a DMZ. Any servers in a DMZ should not allow SMB inbound from the internet. To prevent this attack, do not allow internet systems to contact machines from the internet over SMB. This advice is a best practice for all protocols, not just SMB.

Hi Ned,
Is there any chance you can reissue this blog post?
Our business is run on broker software that still uses SMBv1 and their response to this blog, was “it’s been patched…”
I’ve seen the comment relating to placing the servers in a DMZ, so we will implement that, but how can I encourage said software manufacturer to fix their s**t?

For some Unix flavours (RHEL6) you need SMBv1, because a higher version is just not supported. And we run a couple of those with some applications from a vendor that just supports RHEL6. And we cannot, business-wise, decommission those apps.

If we disable SMBv1 just on our Windows clients (and keep it on the file servers), will that be enough of a safeguard from things like wannacry? We do have a closed End User Computing landscape, so we know they just use v3. But sometimes legacy cannot be pushed away.

It’s not safe for the environment, as SMB1 will still be used on the Linux machines, and SMB1 has architectural flaws with security (like guest auth support and MitM). Also if you disable SMB1 on clients that need to talk to Linux, they will simply fail to communicate with them. If you at least disable the SMB1 server on your Windows machines, they will no longer be attackable via SMB1 RCE like Wannacry.

More to the point, SMB2/3 isn’t good, because of its enforced client-side caching of data which can’t be turned off at the server. Using SMB2/3 risks loss of mission critical data from any file based database on the LAN. The situation is worse for Windows 7-10 users than for XP users, who typically won’t hit this data corruption issue while the later systems will.

For the majority of businesses, corruption of data is THE security concern. Any development which increases the risk of that is BAD.

In any case, SMB should not be used over the Internet, so where is the MITM risk going to arise from? I think I’d notice a guy crawling around under my desk with wire snippers.

These statements about caching are untrue. Please explain where SMB2 is caching your documents and corrupting them – if that were true, I’d ask that you file a bug with us.

The MitM doesn’t have to be the internet. Your laptop that is domain joined is trying to use SMB whether or not you are in the office – to get to DCs for group policy, for instance; that you are on Starbucks wifi and there is an attacker listening there pretending to be your DC is a MitM attack. This is not theoretical, it’s why we created the UNC Hardening feature. And any device allowed on a switched network is now a potential MitM – there is no one under your desk.
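The UNC Hardening the reply mentions, as an added example (not the post's or its author's code): the policy "Hardened UNC Paths" (Computer Configuration > Administrative Templates > Network > Network Provider) writes string values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths`, one per UNC pattern. With the values below a client refuses to read SYSVOL or NETLOGON from any server that cannot prove its identity with Kerberos and sign the traffic, which is what defeats the fake-DC-on-coffee-shop-wifi scenario. The script writes the same values locally for a machine that does not receive the policy from a domain; the values and path are the policy's own, the function names are mine. Run elevated.

```powershell
# Added example (not from the blog post): configure UNC Hardened Access for SYSVOL and NETLOGON
# locally, equivalent to the "Hardened UNC Paths" Group Policy setting. Run elevated.

$hardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# RequireMutualAuthentication=1 : the server must authenticate itself (Kerberos), so a rogue host
#                                 answering to the DC's name cannot pass as it.
# RequireIntegrity=1            : SMB signing is mandatory, so the data cannot be altered in transit.
$hardenedValue = 'RequireMutualAuthentication=1, RequireIntegrity=1'
$paths = '\\*\SYSVOL', '\\*\NETLOGON'   # policy and logon scripts, fetched at every boot/logon

function Set-HardenedUncPaths {
    if (-not (Test-Path $hardenedKey)) { New-Item -Path $hardenedKey -Force | Out-Null }
    foreach ($p in $paths) {
        # The UNC pattern is the value *name*; the requirements string is its data.
        New-ItemProperty -Path $hardenedKey -Name $p -Value $hardenedValue -PropertyType String -Force | Out-Null
    }
}

function Get-HardenedUncPaths {
    # Verification: read the values back by exact name (Select-Object would treat '*' as a wildcard).
    $item = Get-Item -Path $hardenedKey -ErrorAction SilentlyContinue
    foreach ($p in $paths) {
        [PSCustomObject]@{ Path = $p; Requirements = if ($item) { $item.GetValue($p) } else { $null } }
    }
}

Set-HardenedUncPaths
Get-HardenedUncPaths | Format-Table -AutoSize
```

Note that this protects the named shares on every Windows client that applies it, regardless of SMB dialect; the point of the reply is that with SMB1 a downgrade-and-impersonate attacker would otherwise be accepted, and hardened paths are how the client refuses that server.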

Howdy, this is somewhat off topic, but I was wondering if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding expertise, so I wanted to get advice from someone with experience. Any help would be greatly appreciated!

If HP, to name a notably serious offender, stopped building brand new consumer- and SMB-targeted MFPs that require SMBv1 tomorrow, there would still be brand new HP MFPs being sold 18 months or more from now to unsuspecting end users who expect them to be able to save scans and received faxes to a shared folder just like the user’s guide says it can and won’t know squat about re-installing SMBv1 support. There is zero sign HP is about to stop building new consumer MFPs that require SMBv1 tomorrow or anytime soon. I don’t doubt Microsoft has been trying to tell HP and others to get off SMBv1 for six years or more. They aren’t listening, apparently. Maybe Microsoft should run some “Don’t buy HP MFPs before reading this” ads this holiday season–since HP only admits this problem in an obscure support note. Of course, HP is a YUUGE Microsoft customer, so this probably isn’t in the cards.

At least one of these postings pass this problem off as one somehow unique to owners of antiquated MFPs and routers and similar. Many very recently introduced models consumers are yet to buy are also dependent on SMBv1. HP, to name one, probably has no models stacked high on the floor of your neighborhood BestBuy or Costco that *don’t* require SMBv1.

It’s not safe to me, but it might be to you. 🙂 I only recommend leaving it enabled if you have some 3rd party device you are connecting to that only supports SMB1. And I would strongly recommend instead upgrading or replacing that third party – they do not care about basic network security if they require SMB1, which implies they don’t care about any security for your data. 🙁

That’s how it is for most devices – they update the firmware once or twice and then forget about it. Once a device has been sold, it’s not the manufacturer’s problem anymore. Which is what makes the Internet of Things so scary.

The SMB1 eradication programme is successfully underway in networks I manage!

A couple of points about network browsing using the Function Discovery Provider Host and Function Discovery Resource Publication services:

1) MSDN documentation implies that Function Discovery is deprecated. Please don’t do this! There are many users (particularly in small businesses, where training and full-time systems administration is unavailable, and a relatively high proportion of users are barely computer literate) who depend on accessing network shares through Network Neighborhood. It’s muscle memory.

2) The article mentions setting the start type for these services to Automatic. This isn’t good advice. Delayed Start is better, because Automatic introduces a race condition – if the computer’s starting up and the network isn’t available when the Function Discovery services are started, they’ll immediately stop again. It would be very useful if Microsoft could modify these services to trigger start / stop depending on when a network is available.
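The service change the comment above recommends, as an added example (not code from the original post or from the commenter). It sets both Function Discovery services to Automatic (Delayed Start) and, going one step past the comment, gives them the network-availability start trigger the commenter wishes for. The short service names fdPHost and FDResPub are the ones Windows uses for “Function Discovery Provider Host” and “Function Discovery Resource Publication”; everything else is assumed to run from an elevated PowerShell prompt on Windows 8.1 or 10.

```powershell
# Added example (not part of the original post or its comments): put the two
# Function Discovery services on Automatic (Delayed Start) and add a
# "network on" start trigger so they come up once an IP address exists.
# Run from an elevated PowerShell prompt.
$services = 'fdPHost', 'FDResPub'   # Provider Host, Resource Publication

foreach ($svc in $services) {
    # sc.exe is used because Set-Service in Windows PowerShell 5.1 has no
    # delayed-start option (PowerShell 7 adds -StartupType AutomaticDelayedStart).
    # The space after "start=" is required by sc.exe.
    & sc.exe config $svc start= delayed-auto | Out-Null

    # Start when the first IP address becomes available, which covers the
    # boot-time race described above. Caveat: "sc.exe triggerinfo" REPLACES any
    # existing triggers on the service; inspect them first with
    # "sc.exe qtriggerinfo <name>" if you want to keep the defaults.
    & sc.exe triggerinfo $svc start/networkon | Out-Null

    # Bring the service up now so the Network folder populates without a reboot.
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}

# Verify: START_TYPE should read "AUTO_START  (DELAYED)" and the state RUNNING.
foreach ($svc in $services) {
    $cfg       = & sc.exe qc $svc
    $startType = ($cfg | Select-String 'START_TYPE').Line.Trim()
    $state     = (Get-Service -Name $svc).Status
    '{0,-10} {1,-8} {2}' -f $svc, $state, $startType
}
```

Two things this does not change: the machine’s network profile must be Private with “Network discovery” turned on, or FDResPub has nothing to publish to; and none of this brings back the Computer Browser service, which is what actually needed SMB1.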

On MAXIMUS which has IP address 10.0.0.2, “Map network drive” refuses to connect with either “\\MAXIMUS\Maximus-Data” or “\\10.0.0.2\Maximus-Data”. I get the dreaded “Windows cannot access \\10.0.0.2\Maximus-Data”. Obviously, if I cannot map the network drive on MAXIMUS itself, the other local computers cannot either.

*** Verifications ***

Start | cmd | Run as administrator
When the command prompt opens, type the following:
sfc /scannow
There is no error.

Public folder sharing (Enable – Turn on sharing so anyone with network access can read and write files in the Public folders)
File sharing connections (Enable – Use 128-bit encryption to help protect file sharing connections)
Password protected sharing (Enable – Turn on password protected sharing)
Note: All computers use same User profile and password which show in the Credential Manager.
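Beyond sfc and the sharing settings listed above, the checks a file-server admin would run next, as an added example (not from the original post or from the commenter). It uses the names in the comment (MAXIMUS at 10.0.0.2, share Maximus-Data) and assumes Windows 8.1 / Server 2012 R2 or later, which is where the SmbShare cmdlets and Test-NetConnection exist; run it elevated on the server itself, since that is where the mapping already fails.

```powershell
# Added example (not from the original post or the comment above): verify the
# share, the listener and the negotiated SMB dialect before blaming the client.
# Host, address and share name are the ones given in the comment.
$server = '10.0.0.2'
$share  = 'Maximus-Data'

# 1. Does the share exist, and who is allowed in? A share that exists but grants
#    nothing to the connecting account also produces "Windows cannot access".
$s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
if (-not $s) { throw "Share '$share' is not defined on this host (compare Get-SmbShare)." }
$s | Format-List Name, Path, EncryptData, ContinuouslyAvailable
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Is the Server service listening on 445, and which dialects does it offer?
Test-NetConnection -ComputerName $server -Port 445 | Format-List ComputerName, TcpTestSucceeded
Get-SmbServerConfiguration | Format-List EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData

# 3. Repeat the mapping the comment tried, then read back the dialect that was
#    negotiated. Anything other than a 2.x or 3.x dialect means SMB1 was used,
#    which is the thing to fix rather than tolerate.
try {
    New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$server\$share" -Persistent $false -ErrorAction Stop | Out-Null
    Get-SmbConnection -ServerName $server | Format-Table ServerName, ShareName, Dialect, UserName -AutoSize
    Remove-SmbMapping -LocalPath 'Z:' -Force
} catch {
    # Typical causes: SMB1 on one side only, mismatched credentials, or guest
    # access (Windows 10 1709+ refuses guest logons to shares by default).
    Write-Warning "Mapping failed: $($_.Exception.Message)"
    Get-WinEvent -LogName 'Microsoft-Windows-SmbClient/Connectivity' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, Message -Wrap
}
```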

My previous attempt appears to have disappeared so I’ll try again and see what happens.

In the original post it says:
“Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.

However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:

1. Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services and set them to delayed start.”

The screen grab below shows those services set to Manual. Which is correct?

If the Network folder isn’t meant to function anymore, what is the intended method of network management in small LANs, and where can we find it described and how to set it up?

Using the PowerShell commands that I found on the below website, I seem to have established that SMB1 was NOT operative on my W7 Ultimate 64-bit computer. This was also borne out by the lack of an SMB1 entry in the LanmanServer\Parameters section of the Registry. I’m guessing it was disabled by the MS update that followed the WannaCry attack.

So I’m guessing its absence is correct.

But oddly, SMB2 wasn’t listed in LanmanServer\Parameters, either. So I enabled it with Powershell, and after a reboot, it’s now showing in the Registry. However, there’s nothing about any version of SMB in the Lanman Workstation Parameters.

Question 1 then: Does SMB2 need enabling in the Workstation Parameters also?
Question 2: I’m getting the impression that whether these protocols are enabled or not, they still exist within the OS?
Question 3: Does ‘Samba’ have any association with SMB protocols, or is that name just coincidental?

1. We don’t do anything to Windows 7; you have to disable it yourself. Only when you move to Windows 10 do we start automatically removing (or never installing) SMB1. Windows 7 is in its extended hands-off phase. In 18 months it will cease to be supported at all, so I really recommend moving to Windows 10.

You don’t need to do anything to SMB2 on Windows 7 and shouldn’t do anything to it, just leave it running. 🙂

2. On Windows 7, yes. On Windows 10, no. You can actually remove them from Windows 10 (and Win8, although hardly anyone uses that OS).

3. Yes, Samba contains the open source version of SMB server that you can run on operating systems like Linux. It has many versions and is quite mature. It has more than just SMB (it can also emulate a Windows Domain Controller, for instance).
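A script that answers questions 1 and 2 above on whichever Windows the reader has, as an added example (not code from the original post, the question or the reply). On Windows 7 / Server 2008 R2 there are no SmbServerConfiguration cmdlets, so the server side is the LanmanServer\Parameters registry value and the client side is the mrxsmb10 driver that the Workstation service depends on (the steps documented in KB2696547); there is no SMB version value under LanmanWorkstation\Parameters to set, which is why the commenter found none. On Windows 8.1 / 10 / Server 2012 R2 and later the SMB stack is asked directly and the SMB1 optional feature is checked. The -Disable switch, the OS-version cutoff and an elevated prompt are assumptions of this example.

```powershell
# Added example (not from the original post or the Q&A above): audit SMB1 on the
# running Windows version and, only with -Disable, turn it off. Run elevated.
param([switch]$Disable)

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$legacy = [Environment]::OSVersion.Version -lt [Version]'6.2'   # 6.1 = Windows 7 / 2008 R2

if ($legacy) {
    # Server side: an ABSENT SMB1 value means "enabled" (the default). SMB2 is
    # likewise enabled when absent; leave it alone, as the reply says.
    $smb1 = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    'Server SMB1: ' + $(if ($null -eq $smb1) { 'enabled (default, value absent)' }
                        elseif ($smb1 -eq 0) { 'disabled' } else { 'enabled' })

    # Client side: the SMB1 redirector is the mrxsmb10 kernel driver. Start=4 is
    # disabled; the default is 3 (demand start). It is a driver, not a service,
    # so Get-Service cannot see it; the registry can.
    $start = (Get-ItemProperty -Path $mrxKey -Name Start -ErrorAction SilentlyContinue).Start
    'Client SMB1 driver (mrxsmb10) Start: ' + $(if ($null -eq $start) { 'not present' } else { $start })

    if ($Disable) {
        Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0
        & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        & sc.exe config mrxsmb10 start= disabled | Out-Null
        'SMB1 disabled on server and client; reboot to apply.'
    }
} else {
    # Windows 8.1 / 10 / Server 2012 R2+: the protocol can be removed outright.
    Get-SmbServerConfiguration | Format-List EnableSMB1Protocol, EnableSMB2Protocol
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
        Format-List FeatureName, State

    if ($Disable) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
        'SMB1 disabled and the SMB1Protocol feature removed; reboot to finish.'
    }
}
```

Do not touch EnableSMB2Protocol or the SMB2 registry value: the reply above is right that it should stay at its default, and setting SMB2 to 0 on a Windows 7 server is how people end up with a machine that only speaks SMB1.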

We have an application that seems to get impacted when SMB1 is disabled and Windows SMB file clustering is used. I would like to throw out a behavior change we noticed with Windows updates since early 2017 (WannaCry patching days).

We have Windows 2012 R2 based SMB clustered shares where software writes a lot of data. The quorum disk and data disk are attached to another Windows 2008 host as iSCSI disks.

1. If we build a fresh SMB cluster for file shares with no Windows updates applied, everything works perfectly in terms of writing data to the file shares.
2. Once we patch the cluster nodes with all Windows updates (through Oct 2018), we see that file writes that used to complete in milliseconds before the updates now take 4 minutes and 20 seconds (approximately) every time. It does not matter whether a small or large file is written.
3. If we install SMBv1, the issue still exists if “Continuous Availability” is enabled. If we remove CA, the issue goes away.
4. If SMBv1 is removed, the issue exists whether CA is enabled or not.
5. If we access the file share without the cluster name being involved, e.g. \\IPofActiveNode\E$\SharedFolder, the issue is not observed, but that defeats the purpose of clustering.

I did a network trace as well. I see the real write happen at the end, within milliseconds, using iSCSI calls, whereas there is something happening before that which I am unable to put my finger on.

There is no antivirus or anything else holding locks on the files. I am trying to find out what gets used in the code to write the files which could be causing clustered file shares to behave so badly. All I know so far is that the application performs unbuffered writes.

I built a lab using virtual iSCSI disks on VMware as well, as opposed to iSCSI disks from a storage vendor attached to the host, and both setups show the same issue. I do not need to write a lot of data to reproduce; I can reproduce while writing 1-2 files. It seems there is something that went into the Windows updates which is causing the issue. In the past one of the sites decided to pursue it with MS support, but since normal Windows copy operations and tools like Robocopy were not running into the issue, it didn’t go anywhere.

Would you know if any such issue has been reported or whether anyone has come across it? Or is there anything that I could check from my end?
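A way to turn the five observations above into a reproducible measurement, as an added example (not code from the original post or from the commenter). It lists which clustered shares actually have Continuous Availability on, shows the dialect this client negotiated to each server, and then times a single small write through the cluster name versus directly to the node, both cached and write-through. The cluster name, node name, share path and file size are placeholders; .NET’s FileOptions.WriteThrough (FILE_FLAG_WRITE_THROUGH) is used only as an approximation of the application’s unbuffered writes and is not the same as FILE_FLAG_NO_BUFFERING. Windows Server 2012 R2 or later and a client that can reach both paths are assumed.

```powershell
# Added example (not from the original post or the comment above): a small
# timing harness for the CA write symptom, plus the share and connection facts
# that decide whether Continuous Availability is in play. All names are placeholders.
$viaCluster = '\\FSCLUSTER\SharedFolder'       # clustered, CA-capable path
$viaNode    = '\\FSNODE1\E$\SharedFolder'      # direct to the owning node, as in item 5
$node       = 'FSNODE1'                        # a cluster node that answers CIM/WinRM

function Measure-SmbWrite {
    param([string]$Dir, [int]$SizeKB = 64, [switch]$WriteThrough)
    $path = Join-Path $Dir ('catest-{0}.bin' -f [guid]::NewGuid())
    $data = New-Object byte[] ($SizeKB * 1024)
    $opts = if ($WriteThrough) { [IO.FileOptions]::WriteThrough } else { [IO.FileOptions]::None }
    $sw   = [Diagnostics.Stopwatch]::StartNew()
    $fs   = New-Object -TypeName IO.FileStream -ArgumentList $path, ([IO.FileMode]::CreateNew),
                ([IO.FileAccess]::Write), ([IO.FileShare]::None), 4096, $opts
    try { $fs.Write($data, 0, $data.Length); $fs.Flush($true) } finally { $fs.Dispose() }
    $sw.Stop()
    Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $Dir; WriteThrough = [bool]$WriteThrough; Milliseconds = $sw.ElapsedMilliseconds }
}

# Which shares on the cluster are CA (the scope name is the cluster access point)?
Get-SmbShare -CimSession $node | Where-Object ContinuouslyAvailable |
    Format-Table Name, ScopeName, Path, ContinuouslyAvailable -AutoSize

# What did this client negotiate to each server? SMB1 has no durable handles, so a
# 1.x dialect here means CA semantics never applied on that connection at all.
Get-SmbConnection | Format-Table ServerName, ShareName, Dialect, NumOpens -AutoSize

# Four cells: cluster vs node, cached vs write-through. A multi-minute number only
# in the cluster/write-through cell points at the CA (durable handle) code path.
foreach ($dir in $viaCluster, $viaNode) {
    Measure-SmbWrite -Dir $dir
    Measure-SmbWrite -Dir $dir -WriteThrough
}
```

If the slow cell is confirmed, `Set-SmbShare -Name SharedFolder -ScopeName FSCLUSTER -ContinuouslyAvailable $false -Force` is the reversible way to test item 3 without reinstalling SMB1, and the timings from this harness are the kind of evidence a support case needs when Robocopy alone does not show the problem.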